Period for Reply


A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) ☒ Responsive to communication(s) filed on 16 November 2001.
2a) □ This action is FINAL. 2b) ☒ This action is non-final.

3) □ Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) ☒ Claim(s) 1-12 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) □ Claim(s) is/are allowed.

6) ☒ Claim(s) 1-12 is/are rejected.

7) □ Claim(s) is/are objected to.

8) □ Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) □ The specification is objected to by the Examiner.

10) 0 The drawing(s) filed on is/are: a) □ accepted or b) □ objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) □ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) 0 Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) □ All b) □ Some * c) ☒ None of:

1. Certified copies of the priority documents have been received.

2. □ Certified copies of the priority documents have been received in Application No. .

3. □ Copies of the certified copies of the priority documents have been received in this National Stage application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received. 

1. Claims 1-12 have been examined.

Claim Rejections - 35 USC § 102 

2. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 

3. Claims 1 - 12 are rejected under 35 U.S.C. 102(b) as being anticipated by Kim et al. ("The 
Design and Implementation of Tripwire: A File System Integrity Checker"). 

4. With respect to claim 1, Kim et al. disclose a method of detecting critical file changes, 
comprising: 

Reading events representing various types of system calls (page 27, Section 5.3, 
paragraph 1, lines 1-3); 

Routing the event to an appropriate template, the event having multiple parameters (page
27, Section 5.3, paragraph 1, lines 1-3; page 24, Section 4.2, paragraph 3 till column end); 

Filtering the event as either a possible intrusion based on the multiple parameters and 
either dropping the event or outputting the event (page 25, column 1, paragraph 1, lines 1-5); and 

Creating an intrusion alert if an event is output from said filtering step (page 25, column 
1, paragraph 1, lines 1-5). 

5. With respect to claim 7, Kim et al. disclose a method of detecting critical file changes,
comprising: 

Reading events including encoded information representing system calls (page 27, 
Section 5.3, paragraph 1, lines 1-3; page 23, column 2, lines 7-8);

Routing the event to an appropriate template based on the encoded information (page 27, 
Section 5.3, paragraph 1, lines 1-3; page 24, Section 4.2, paragraph 3 till column end; page 23, 
column 2, lines 7-8); 

Filtering the event as either a possible intrusion based on the encoded information and
either dropping the event or outputting the event (page 25, column 1, paragraph 1, lines 1-5; page 
23, column 2, lines 7-8); and 

Creating an intrusion alert if an event is output from said filtering step (page 25, column
1, paragraph 1, lines 1-5; page 23, column 2, lines 7-8). 

6. With respect to claims 2 and 8, Kim et al. disclose a method, wherein said filtering step 
outputs an event if the parameters indicate that the permission bits on a file or directory were 
changed (page 24, Section 4.2, paragraph 2, lines 1-4). 

7. With respect to claims 3 and 9, Kim et al. disclose a method, wherein said filtering step
outputs an event if the parameters indicate that a file was opened for truncation (page 24, Section 
4.2, paragraph 2, lines 1-4). 

8. With respect to claims 4 and 10, Kim et al. disclose a method, wherein said filtering step
outputs an event if the parameters indicate that ownership or group ownership of a file has been 
changed (page 24, Section 4.2, paragraph 2, lines 1-4). 

9. With respect to claims 5 and 11, Kim et al. disclose a method, comprising a create step which 
outputs an alert message if a file was renamed including a file that was renamed and a new name 
that the file was renamed to (Table 2; page 27, Section 5.3, paragraph 2, lines 3-5; page 25, 
column 1, paragraph 1, lines 1-5). 

10. With respect to claims 6 and 12, Kim et al. disclose a method, comprising configuring 
templates based on a list of files and directories to be included or excluded based on whether the 
files and directories are considered unmodifiable (page 24, column 1, Configurability and
Flexibility Section, paragraph 3, lines 1-4). 

Conclusion 

11. The prior art made of record and not relied upon is considered pertinent to applicant's
disclosure. Rowland (U.S. Patent 6,405,318) also discloses the limitations of the independent 
claims and several of the dependent claims of the application. Moran (U.S. Patent 6,647,400) 
also discloses some of the independent and dependent claims in the invention. 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Ramya Ananthanarayanan whose telephone number is (571) 272-5860.
The examiner can normally be reached on Monday through Friday, 8:30-5.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).